Analysis Overview
SHA256
3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5
Threat Level: Known bad
The file 3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5 was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
ASPack v2.12-2.42
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 20:09
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 20:09
Reported
2024-08-09 20:11
Platform
win7-20240704-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sesyd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ajfac.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sesyd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sesyd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ajfac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe
"C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe"
C:\Users\Admin\AppData\Local\Temp\sesyd.exe
"C:\Users\Admin\AppData\Local\Temp\sesyd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\ajfac.exe
"C:\Users\Admin\AppData\Local\Temp\ajfac.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
| JP | 133.242.129.155:11120 | | tcp |
Files
memory/2692-0-0x0000000001080000-0x000000000124E000-memory.dmp
\Users\Admin\AppData\Local\Temp\sesyd.exe
| MD5 | 5e6c5f02833c880cd5f187efa2c4d52c |
| SHA1 | 5bc72c04261a6b04c55ab58bdeae4d1c4095889a |
| SHA256 | 7d7a97b1a5cf99352b4b489a97ec2d0badb9abe4df4a5931d4c891967579d915 |
| SHA512 | 5de8ee3bc7e1aa9dbe3f67d405729bdfbca82668167be02e949334e786e897ca0531d9ee397b9a5b86c2968319790ccc4c7da13a520bb218ebec9ce6f81228c7 |
memory/2692-8-0x0000000002CE0000-0x0000000002EAE000-memory.dmp
memory/2692-18-0x0000000001080000-0x000000000124E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 117db6d7afcbb03d69800d2f80a2c95a |
| SHA1 | c62f92b9cbed27370779c69ea64c5ca3be549248 |
| SHA256 | 4121f9638d2997ba3876ecb738b77c4bfd5b9afc904d9203e89d54de73a6a5b2 |
| SHA512 | c97786ac50b1b8fb492176581a720f5b6dbf5362abde15ba92a5b57a1a360e16206279d57d4029edbc62f717d4e18d3b5614d8b7519d9625dbb6fb0aee80e220 |
memory/2108-17-0x00000000001D0000-0x000000000039E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 7096c2a6a3a44664d388127ea42894f6 |
| SHA1 | 34fd9eef0023e6390a9a83421df4691ccce2e6ad |
| SHA256 | 665981aa4f18b117daf461d9cb1b3752ad20365d8072a0b386dfc33ae6e65349 |
| SHA512 | 6a1f95a19cb3e37ae29cdb4d5ceb67d488656d94a8b42167c205c97d15f28e33d29332075cb24be8ec857fcf418feafab0d24f4f0f0f30586cb67267f65ec5f1 |
\Users\Admin\AppData\Local\Temp\ajfac.exe
| MD5 | cedb5dc06b430bfa90afc591fbe78c19 |
| SHA1 | fd98c22cfe66f964ca56f4ca5cdeb44e903c584d |
| SHA256 | 43d841a3a5752960fc818684f395b811af39a644be98cf74251a1aa01f089b46 |
| SHA512 | 93e650bec7b1b26db5eeb2b08c618929a16423c5124400a50e7dc7b1ce0ed55e4fae1fb6d93b49a68f3cc5ab37bb7b4b817209ef8c99612eaf15bdf22a176502 |
memory/2968-30-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2968-32-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2108-31-0x00000000001D0000-0x000000000039E000-memory.dmp
memory/2968-29-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2968-28-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2108-25-0x0000000003540000-0x00000000035D3000-memory.dmp
memory/2968-34-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2968-35-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2968-36-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2968-37-0x0000000000830000-0x00000000008C3000-memory.dmp
memory/2968-38-0x0000000000830000-0x00000000008C3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 20:09
Reported
2024-08-09 20:11
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kobif.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kobif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyfer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kobif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qyfer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe
"C:\Users\Admin\AppData\Local\Temp\3354897a23fb633c5d31978f5ed8fd040a585c8267ad720b66270babe14905e5.exe"
C:\Users\Admin\AppData\Local\Temp\kobif.exe
"C:\Users\Admin\AppData\Local\Temp\kobif.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\qyfer.exe
"C:\Users\Admin\AppData\Local\Temp\qyfer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11120 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11120 | | tcp |
| NL | 52.111.243.31:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/32-0-0x00000000006C0000-0x000000000088E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kobif.exe
| MD5 | bcc2524eda2a96d7349be6eb0f9b6cae |
| SHA1 | 4ea769c656edc5c33258df61209383bcc8d119e2 |
| SHA256 | 3b2e4c68fc6cd4c4368e9fa103cfaf641eb4a45e4cc12c2445dad0d57acf70e1 |
| SHA512 | eb3c7705fff7dbc3b9f96ba09c4a3e4c57fb97797f7559d32bd00b2734fe8fe136d3f7a538adfa84dd77d69d056927db6ab426dbbb3843e916b56a8d366ddb7d |
memory/4104-13-0x0000000000410000-0x00000000005DE000-memory.dmp
memory/32-14-0x00000000006C0000-0x000000000088E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 117db6d7afcbb03d69800d2f80a2c95a |
| SHA1 | c62f92b9cbed27370779c69ea64c5ca3be549248 |
| SHA256 | 4121f9638d2997ba3876ecb738b77c4bfd5b9afc904d9203e89d54de73a6a5b2 |
| SHA512 | c97786ac50b1b8fb492176581a720f5b6dbf5362abde15ba92a5b57a1a360e16206279d57d4029edbc62f717d4e18d3b5614d8b7519d9625dbb6fb0aee80e220 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | c76e0309be1140f6d8bf65c548ba4736 |
| SHA1 | 7dfcbc2058ec165401c3c4f4563e5fba1549bda9 |
| SHA256 | 0b346f073333568ca6f34b4cefdb157cb7984ffac620f47fe817599a8821cc36 |
| SHA512 | 4750843c21345f2e67b74da613d9595b8fc849c6489645cf6056c4ac39c9a4776b49af7a1c12e8dbc5676f9e838b8754a7c9f959fc42200141cbdcf46d57b621 |
C:\Users\Admin\AppData\Local\Temp\qyfer.exe
| MD5 | 273b19058446e2de009a40bb3b0cea24 |
| SHA1 | a0f1ff4f68466016a9bdfb2fd009fb40e44eea2d |
| SHA256 | 33f5d706e9f00124e703da94806363c00040b31948e69db7804a50b4b3611185 |
| SHA512 | f4ec36e2838ebd64e2fa436ce29aed9751aad931c56e3b6e2969d4e879ec02158859828d88ec465e3bd808a7d6c1eebfe8338261c47371594f4b00984a4dfde9 |
memory/4100-28-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4104-29-0x0000000000410000-0x00000000005DE000-memory.dmp
memory/4100-27-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4100-26-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4100-25-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4100-31-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4100-32-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4100-33-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4100-34-0x0000000000C00000-0x0000000000C93000-memory.dmp
memory/4100-35-0x0000000000C00000-0x0000000000C93000-memory.dmp